From 386a6edb6d2d1d2cd3e9c9de8d85dc7bfda60d34 Mon Sep 17 00:00:00 2001 From: Daniel Lenski Date: Sat, 20 Nov 2021 13:12:34 -0800 Subject: [PATCH] Refuse to handle forms without ->auth_id (but do it in the right place, and noisily) MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit In 0b47ea1882346fdedfcd8a315f51aeb39e13459e ("Refuse to handle forms without ->auth_id"), the process_auth_form_cb for the OpenConnect CLI was modified to silently reject forms with auth_id unset. Issues with this: 1. If a form doesn't have its auth_id set, it'll fail *silently*, which makes it confusingly difficult to identify the root cause. (See #351.) 2. As that commit message says, GUIs/front-ends need the auth_id to be set, but it didn't do anything to enforce it other than for the CLI. The solution is to reject forms with auth_id unset in process_auth_form() itself, rather than expecting the front-ends’ callback functions to check this, and to do so with an error message explaining that this is a bug in OpenConnect. Signed-off-by: Daniel Lenski --- library.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/library.c b/library.c index 4448118d..37b7f9bc 100644 --- a/library.c +++ b/library.c @@ -1532,6 +1532,10 @@ int process_auth_form(struct openconnect_info *vpninfo, struct oc_auth_form *for vpn_progress(vpninfo, PRG_ERR, _("No form handler; cannot authenticate.\n")); return OC_FORM_RESULT_ERR; } + if (!form->auth_id) { + vpn_progress(vpninfo, PRG_ERR, _("No form ID. This is a bug in OpenConnect's authentication code.\n")); + return OC_FORM_RESULT_ERR; + } retry: auth_choice = NULL; -- 2.49.0
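Review bot: The new `if (!form->auth_id)` check placed before `retry:` becomes the enforcement point, but the diffstat shows only library.c changing (4 insertions), so the silent rejection that 0b47ea18 added to the CLI's process_auth_form_cb is left in place. With this check in front of it, that one should now be redundant; consider removing it in this patch or a follow-up so there is a single, noisy check. A short comment above the new check saying that front-end callbacks rely on auth_id being set would document the contract the commit message describes. Separately, the check dereferences `form` with no NULL test in the visible lines; if any caller can pass a NULL form, test that first.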